This bug was reported to Qualcomm, the makers of Eudora, at the end of August 1998 and was fixed immediately with a patch. It is highly recommended that anyone running version 4.00 or 4.01 of Eudora for Windows should upgrade to version 4.1. The update is available at:
http://eudora.qualcomm.com/pro_email/updaters.html
Attached is my original letter to both Qualcomm and Microsoft describing the bug.
Over the last week there has been a great deal of news
coverage regarding the buffer overflow errors in the Outlook
Express and Netscape Email readers. These errors were found
by researchers from Finland. According to news reports, Eudora is
immune to these same errors. However, I believe I have a much more
serious security hole in the Windows 95 version of Eudora 4.0 and 4.01.
This hole allows a malicious person to create a booby-trapped Email
message that will run a Windows executable program attached to the message.
All that is required to activate the booby-trap is for the person reading the Email
message to click on a link in the text of the message. The link
appears in the message text as a legitimate link to a page or article
on the Web.
The program can potentially cause all sorts
of damage such as erasing the hard disk, installing a virus
on the victim's computer, or stealing private files and
Email messages. The program to be executed can be either
a standard Windows .EXE file or a DOS batch file.
The booby-trapped Email message requires no special
skills or programmer utilities. The text of the message
can be typed directly into Eudora as HTML or copied from
a file. The program to be executed is sent as a
standard attachment in Eudora.
I believe that the security hole was introduced in Eudora 4
with adoption of Microsoft's Internet Explorer 4 browser to
display HTML-based Email messages. To actually fix the problem may
take some work. The booby-trap Email message exploits a number of anomalies
in Eudora 4 and Internet Explorer 4. It is unclear exactly who
will need to fix the problem, whether it is Qualcomm, Microsoft, or both.
There does exist a work-around to the problem which is
to turn off the Microsoft Email viewer in Eudora. However, using
this fix means that users lose the ability to view
HTML Email messages. The bug also seems to go away if
Internet Explorer 3 is installed on the machine instead
of IE4 or if Netscape Navigator is running at the same time
as Eudora.
I've created a demo Email message of the security
hole that runs a harmless program that prints out some
text about the problem. It was tested on 6 different
systems running Eudora 4.0 and 4.01 with IE4 and the demo worked
on all of these systems. All of the systems were running
Windows 95. The security hole likely exists on
Windows NT and Windows 98 also, but we haven't had a
chance to verify this yet.
The demo version uses the following short "pitch letter":
------------------------------------------------------------------
News flash -- Clinton resigns -- full story at the New York Times:
http://www.nytimes.com
------------------------------------------------------------------
The link "http://www.nytimes.com" is highlighted by Eudora and if
it is clicked on, is booby-trapped to run an executable named
"BADNEWS.EXE" instead of going to the New York Times Web site.
This executable is attached to the Email message but no
attachment icons are displayed by Eudora at the bottom of
the message. BADNEWS.EXE is a simple C program that prints
out the following text:
--------------------------------------------------------------------------------
This is a Windows .EXE file which was automatically executed
by Eudora from an Email message. This program is harmless, but just as
easily could have been a Trojan horse program that erased your hard
disk, infected your computer with a virus, or stole all of your
private files.
The program was sent to you as a hidden attachment to the "Clinton Resigns"
Email message. (No, he didn't really resign!). Because of a number of
security holes in Eudora, this .EXE file was run by mistake when you clicked on
the booby-trapped link to the New York Times.
Reading Email in Eudora is no longer safe. As a temporary solution, we
recommend immediately turning off the Microsoft viewer in Eudora:
1. Select the "Options..." command on the Eudora "Tools" menu
2. Select the "Viewing Mail" icon in the "Category" list
3. Click off "Use Microsoft's viewer"
4. Push the "OK" button.
Hit enter to exit -->
--------------------------------------------------------------------------------
At Phar Lap, we discovered the key holes in Eudora 4/IE4 while creating client/server
applications based on HTML and JavaScript for our realtime operating
system product line (http://smallest.pharlap.com and http://jshelper.pharlap.com).
We have also found a number of other major security holes in Eudora 4 that are
not quite as serious. We haven't fully characterized these problems yet
so I can't pass along any information about them quite yet.
My one question is: what is the best way to proceed to get the
booby-trapped link security hole fixed?
Richard M. Smith
PS. None of the links in this message have been booby-trapped! :)
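
A mail-filter check for the pattern the letter describes (an HTML message whose link displays a web address, sent together with a .EXE or batch-file attachment), as an added example that is not part of the original letter. The letter does not disclose how the link is rigged, so the display-versus-target mismatch test and the placeholder href in the constructed sample are assumptions, and all function names are hypothetical.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".bat")  # the two program types the letter names
WEB = ("http", "https")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Links that display a web URL but point somewhere other than that host."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        shown, target = urlparse(text), urlparse(href)
        if shown.scheme in WEB and shown.netloc and (
                target.scheme not in WEB or target.netloc.lower() != shown.netloc.lower()):
            hits.append((text, href))
    return hits

def audit(raw):
    """Flag a message combining a deceptive link with a program attachment."""
    parts = list(message_from_string(raw, policy=policy.default).walk())
    html = "".join(p.get_content() for p in parts if p.get_content_type() == "text/html")
    risky = [p.get_filename() for p in parts if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    links = mismatched_links(html)
    return {"links": links, "attachments": risky, "quarantine": bool(links and risky)}

def build_sample(href, attach):
    """Constructed test message; the href passed in is a placeholder, not the real exploit."""
    m = EmailMessage()
    m.set_content(f'<p>Full story: <a href="{href}">http://www.nytimes.com</a></p>', subtype="html")
    if attach:
        m.add_attachment(b"constructed", maintype="application", subtype="octet-stream", filename="BADNEWS.EXE")
    return m.as_string()
```

Either signal alone is common in legitimate mail; the check quarantines only when both appear in the same message.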